Wednesday, September 30, 2009

That's why it's important for network administrators to be able to audit the user passwords in use on their networks to ensure that they are hard to crack, regularly changed, and never re-used. One tool to help with that is L0phtcrack.

You may well be familiar with tools such as Ophcrack and John the Ripper, which allow administrators to see if a password on a given machine is easily crackable, but few have been designed to allow a network administrator to audit a large number of machines on a network automatically.

Fortunately, L0phtcrack—a very old password auditing tool originally developed by a hacker collective and eventually bought by Symantec—is back on the market and addresses just that problem.

Symantec withdrew the tool in 2005, but recently the company sold L0phtcrack back to the original developers, who have now released L0phtcrack 6 as a commercial product.

To make it easy for administrators, L0phtcrack can get these directly from other machines on the network remotely. To do this, Linux machines must be running an SSH service and have an administrator level auditing account set up, and Windows machines need to be running the appropriate L0phtcrack remote agent software (either 32-bit or 64-bit) which encrypts the hash data and sends it back to the system running L0phtcrack.

L0phtcrack can also accept hash files acquired in other ways: for example, SAM files copied from Windows machines that have been booted into an alternative operating system from a live CD, or hashes acquired using a locally run utility like PWDump or a remotely run utility like fgdump.

This may be practical in small organizations, but unfeasible where hundreds or even thousands of machines need auditing. L0phtcrack can also audit passwords on the machine on which it is running.

Where the network topology is appropriate, L0phtcrack can also sniff network traffic to capture password hashes from SMB authentication sessions.

Audits can be started manually, or can be scheduled to take place on a regular basis. Once L0phtcrack is in possession of groups of password hashes, it subjects them to a number of attacks. After checking that the password is not the same as the username, it carries out:

Dictionary attack: a straightforward attack which goes through a word list to find a match. This is very quick and finds simple passwords such as "monkey" or "password". L0phtcrack comes with a reasonable word list, but more comprehensive ones can also be used.

Hybrid attack: This is a more sophisticated dictionary attack, carrying out common letter and symbol substitutions such as 3 for E and $ for S. It can also add symbols or numbers to either the beginning or end of words. This can be useful because many users who are told to make passwords using letters and numbers simply add a digit or two to the end of a guessable word. A hybrid attack would find passwords such as "pa$$word", "h3lp" or "monkey1".

Pre-computed attack: this attack makes use of rainbow tables, or sets of pre-computed hashes, for a huge number of passwords. L0phtcrack comes with a utility for generating rainbow tables, which is a lengthy process, or you can download suitable tables from Free Rainbow Tables. Once the tables are stored on your system, hashes can be looked up in them, and each password that is present in the tables can be recovered in a few minutes or seconds.

Brute force attack: this tries every combination of various sets of characters methodically until a password is found. Passwords made up of letters and numbers could take about a day to crack, while more complex ones with special characters such as #, * and } could take months.
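As an added example (not code from the article or from L0phtcrack), the username check, dictionary stage and hybrid stage above run over a constructed set of accounts, followed by the account selection the remediation section describes. It assumes SHA-256 as a stand-in for the hash format an audited system stores; the account names, passwords and ages are constructed sample data.

```python
import hashlib
import itertools

# Assumption: SHA-256 stands in for the hash an audited system actually stores
# (L0phtcrack itself works on Windows LM/NTLM and Unix hashes).
def digest(password):
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed sample data: account -> stored hash, and password age in days.
ACCOUNTS = {
    "alice": digest("alice"),        # password equals the username
    "bob":   digest("monkey"),       # plain dictionary word
    "carol": digest("pa$$word"),     # dictionary word with symbol substitution
    "dave":  digest("monkey1"),      # dictionary word with a digit appended
    "erin":  digest("Tr0ub4dor&3"),  # not recovered by these stages
}
PASSWORD_AGE_DAYS = {"alice": 10, "bob": 30, "carol": 45, "dave": 5, "erin": 400}
WORDLIST = ["password", "monkey", "help", "letmein"]
SUBSTITUTIONS = {"e": "3", "s": "$", "a": "@", "o": "0"}  # 3 for E, $ for S, ...

def leet_variants(word):
    """Yield the word with every combination of the common substitutions applied."""
    choices = [(c, SUBSTITUTIONS[c]) if c in SUBSTITUTIONS else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)

def hybrid_candidates(word, max_suffix=99):
    """Each substitution variant, bare and with a one- or two-digit suffix."""
    for variant in leet_variants(word):
        yield variant
        for n in range(max_suffix + 1):
            yield variant + str(n)

def audit(accounts, wordlist):
    """Return {account: (stage, recovered_password)} in the order the stages run."""
    by_hash = {}
    for user, stored in accounts.items():
        by_hash.setdefault(stored, []).append(user)
    found = {}
    for user, stored in accounts.items():            # stage 0: username as password
        if digest(user) == stored:
            found[user] = ("username", user)
    for word in wordlist:                             # stage 1: dictionary
        for user in by_hash.get(digest(word), []):
            found.setdefault(user, ("dictionary", word))
    for word in wordlist:                             # stage 2: hybrid
        for candidate in hybrid_candidates(word):
            for user in by_hash.get(digest(candidate), []):
                found.setdefault(user, ("hybrid", candidate))
    return found

def accounts_to_reset(found, ages, max_age_days=90):
    """Accounts to force a password change on: recovered, or not changed recently."""
    return sorted(set(found) | {u for u, age in ages.items() if age > max_age_days})

if __name__ == "__main__":
    results = audit(ACCOUNTS, WORDLIST)
    for user, (stage, pw) in results.items():
        print(f"{user}: recovered in the {stage} stage ({pw!r})")
    print("force change at next login:", accounts_to_reset(results, PASSWORD_AGE_DAYS))
```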

Remediating Problem Passwords

Auditing passwords is only one small part of addressing password security: Remediating problems is also important.

"What we have done is tried to look at what network administrators would want to do if they discover that passwords are easily crackable or have been reused on many different machines," says Chris Wysopal, one of the creators of L0phtcrack.

Once a machine or a group of machines has been audited in L0phtcrack the administrator is presented with a report, and information including the security rating and age of various passwords.

This enables the administrator to very quickly select groups of accounts such as those with weak passwords, ones with passwords that have not been changed within a certain time, or ones which L0phtcrack was able to crack quickly, and either disable those accounts or force the user to change the password at the next login.

L0phtcrack is available in three versions: Pro, Administrator and Consultant. The Pro version is limited to 500 accounts, and does not include rainbow table support.

The Administrator version adds rainbow tables, audit scheduling, and support for an unlimited number of user accounts. The Consultant version also allows unlimited client installations for one year. Pricing is currently $295 for the Pro version, $595 for the Administrator version, and $1195 for the Consultant version.

Is it worth it? The software is certainly fast, and much easier to use than a command line program like John the Ripper.

It also provides far more cracking options than either John or Ophcrack, and its management functions (such as reporting and account disabling) could prove valuable in some organizations.

The main drawback for many potential buyers is that, like John and Ophcrack, the software comes from an unconventional group of coders rather than a large, established security company.

But Wysopal insists that that should not put off potential purchasers. "L0phtcrack has been around for many years and has got a very good reputation. The fact that it comes from us and not Symantec should really not be a problem."

Tuesday, September 29, 2009

Over at Wi-Fi Planet’s monthly Ask the Wi-Fi Guru column, we receive a large helping of reader questions. Over time, some common themes have emerged—problems with wireless signal strength, securing connections, and anything related to the iPhone, for example.

But, even given the intensity of interest in these topics, the single most popular subjects amongst those seeking wireless networking help from Wi-Fi Planet are wireless bridging and wireless repeating.

Given the hunger among our readers for more information about DD-WRT and how to create wireless bridges and repeaters with it, we’ve put together this new tutorial series. Consider it “Building a Wireless Bridge, Volume II: Full Throttle.”

Bridge to somewhere

In the real world, a bridge connects two land masses, often separated by water. In wireless networking, a bridge is used to connect two local area networks (or LANs) separated by, well, air.

You can think of a wireless router as the center of a single LAN. Every device connected to a single router—whether connected physically by Ethernet cable or wirelessly—is part of the same LAN.

Now suppose you have a device that is not part of the LAN, but you want it to be. The problem is that you don’t have an easy way to connect it.

For example, you might have a printer or a gaming console, such as the Xbox or Wii, which only has a cabled Ethernet connection. If the device is far away or on another floor from your wireless router, running a cable could be complicated.

The solution is a wireless bridge. Using a second wireless router installed with DD-WRT, the router will connect to your primary router and share the network with any connected Ethernet devices (most routers have four built-in Ethernet ports, but you can add one or more external switches with four, eight, or more ports each to expand even further).

In a wireless bridge setup, the devices connected to your secondary router will be part of the same LAN as your primary router, as if every device were connected to your primary router. This means that all machines in the LAN can see each other so that a computer can access a printer or two computers can share files, for example.

Now suppose a different scenario—you want to set up one or more machines with shared Internet access, but you want to “borrow” that Internet access from a primary router, which is elsewhere. In other words, you don’t want to join the primary router’s LAN, you just want to piggyback on its Internet access for a separate LAN.

The solution is a wireless client, which is also a configuration mode in DD-WRT. The principle behind a wireless client is much the same as a wireless bridge, but the wireless client mode creates a second LAN around your secondary router.

This allows you to create separate LANs and firewall traffic from each differently, but devices in one LAN may not be able to see devices in the other.

Most home and small business networks will find the wireless bridge mode more useful than wireless client mode, although for simply extending an Internet connection either mode will work.

The important thing to remember when using either wireless bridge or wireless client modes is that your secondary router is not broadcasting a wireless signal.

In other words, it is receiving a wireless signal from your primary router and sharing that with wired devices. You cannot connect to your secondary router with a Wi-Fi-enabled machine, such as a laptop, printer, or iPod touch.

Repeater repeater

Thanks to DD-WRT, it is possible to create a wireless client or a bridge which also broadcasts a wireless signal. This is called a repeater, and DD-WRT supports two kinds—a wireless repeater and a repeater bridge.

Both modes function like their earlier counterparts. In repeater bridge mode, the secondary router creates a wireless bridge to the primary router, meaning it shares the same LAN.

But in addition to connecting wired devices, it re-broadcasts a wireless signal using a “virtual” radio, allowing both wireless and wired devices to join the primary router’s LAN.

In contrast, wireless repeater mode is akin to wireless client mode, creating a new LAN around the secondary router.

The advantage of repeater mode is obvious: you can effectively extend the range of your primary router’s wireless signal.

But there is also a disadvantage: wireless devices connected to your secondary router will lose half the bandwidth of your LAN.

This means that their network speeds will be slower especially for internal networking, such as file-sharing or streaming media.

Slower wireless speeds from the repeater are a result of how the secondary router must operate: it needs to receive a signal from the primary router and then re-broadcast that signal locally.

But the router has only one radio and so can only do one of these things at a time.

In practice it switches between modes rapidly so that it appears both are happening at once, but in fact by operating in “half-duplex” mode like this, the maximum signal speed is halved. (We will look at one solution in the next installment of this series.)

Over the weekend I was running my usual route and doing my usual thinking…about Linux. A strange thought crossed my mind as my music-listening-device (not an iPod thank you very much) jumped from one genre of music to another: What would my ideal operating system consist of?

While running, a lot of possibilities crossed my brain: Which kernel, which desktop, which multi-media system, which printing system…the possibilities went on and on. But one issue that I struggled with was the idea that I wanted to have SOMETHING from the Windows operating system within my “ideal OS.”

With that in mind I set out to create an OS that included something from all of the MAJOR operating systems. Of course this is just fiction - we all know that getting pieces of these OSes to work together simply won’t ever happen.

Still, you get to see my take on the ideal operating system. Why don’t you chime in and let us know what YOUR ideal operating system would look like.

Kernel: Linux. I have to go this route simply because it’s the only kernel of the major players that can be customized. And, in order for this to be an IDEAL operating system, you can bet this kernel would have to be customized. Naturally the idea here would be to avoid bloat.

HAL: NetBSD. The NetBSD Hardware Abstraction Layer is one of the cleanest, and most portable HALs around.

Network subsystem: Linux. For me this was an obvious choice because of the huge flexibility Linux networking has to offer. And besides, Linux was designed to be online.

Printing subsystem: I have to give this one to Windows. The primary reason for this, and it relates to another category Windows owns, is that so many printers are now all-in-one devices.

Yes Linux can use these devices, but generally speaking, they can only use the printing system. If I have an all-in-one, I want to be able to use all of the features in my hardware. This was a tough one because with the CUPS system you can easily set up a printer server using Linux.

I do not agree with the author on this at all. This is not a Windows lead here at all. What if these manufacturers did not create drivers for Windows, as in Linux's case?

I thought he would compare the printing subsystem itself, not the drivers. CUPS, for example, is a feature-rich one compared to Windows'.

USB system: This one goes to OS X. For many the USB system just works. But the OS X take on USB is the cleanest and most user-friendly available.

Not quite sure but I am sure that Linux has USB 3.0 before any others.

Hardware recognition: Windows 7. There is very little doubt that Windows offers some of the best hardware recognition out there. And it should: most hardware vendors aren’t smart enough to create OS-neutral hardware, so they create it for one operating system.

Again I do not agree with him. My experience, and that of most of us, is that we install Windows and afterwards install at least 2 or 3 hardware drivers, which means Windows does not detect them automatically. It was very, very rare that I never used the drivers supplied with the hardware.

On the contrary, Linux has never overloaded me with external hardware drivers, especially Network and SCSI ones. I do not recall, during my past 8 years of working with several hardware vendors and dozens of SCSI/Network controllers, that I needed to have an external driver. Windows, meanwhile, has never supported any of these SCSI/Network cards out of the box.

Desktop: Remember, this is MY ideal operating system. So I am going with the combination of Enlightenment E17 and Compiz (the one used for Elive+Compiz). It’s a lightweight, fast, user-friendly desktop that has enough eye candy to not only keep up with the Jones’, but (in most cases) blow them away.

Yes I agree with him; E17 is very light and lightning fast. I just would like to add that many people do claim that Windows is a better desktop than Linux. This is true bullshit. It is just a matter of being used to this Windows box, no more.

If we are going to compare apples to apples then Linux will win by an order of magnitude. Just give yourself a chance and try Ubuntu or any other Linux distro and you will realize what I mean. I have been using both for the past several years at home and at work, on my desktop and at the data centre, and really, productivity with Linux is superseding Windows'.

Multi-Media system (and subsystems): OS X. I will preface this by saying I am not a fan of the iPod. But that doesn’t take away from the fact that OS X does have an outstanding system for multi-media. It’s a rare occasion you can throw a media file at this OS and not have it played.

VLC on Linux/Windows/MacOSX can do this. I use it to play RMVB files too.

Package management: Without a doubt this one goes to Ubuntu (or any OS that is based on apt/apt-get). The Synaptic application is one of the finest software installation management tools available. It’s simple, reliable, and very user friendly. But I would add, in my “dream os,” that all software vendors would bring their titles to the repositories for my ideal operating system.

Yes 100% and Windows really really sucks at this part.

Security: OpenBSD. Without a doubt, OpenBSD has the best security of any operating system that is actually connected to a network. With only two remote attack vulnerabilities found in the last decade, how can you argue with this choice?

Sunday, September 27, 2009

This tutorial describes how to install and configure Snort intrusion detection system (IDS), ACIDBASE (Basic Analysis and Security Engine), MySQL, and Apache2 on Ubuntu 9.04 using packages from Ubuntu’s Synaptic Package Manager.

Snort will help you monitor your network and alert you about possible threats. Snort writes its logs to a MySQL database, which ACIDBASE reads in order to display them in a graphical interface in a web browser.

1. System Preparations & Software Installations

1.1 Installation

1.2 Network & System Configuration

Connect your computer to the network. Although a number of different network configurations will allow the system to work, the preferred network configuration is as follows:

Located in DMZ (De-Militarized Zone)

Static IP address with NAT hiding its IP behind Firewall

Connected to the monitoring port on the switch.

Create new administrator called , with password .

1.3 Software Installation

The first thing to do after installation completes is to install all updates recommended by Ubuntu. To access updates, go to System > Administration > Update Manager. Enter your password and select Check, then select Install Updates.
From the Desktop go to System > Administration > Synaptic Package Manager. Enter your password and select Search.
Search for the following packages and install them:

Acidbase with all affected packages

Snort-MySQL with all affected packages

MySql-server-5.0 with all affected packages

Libpcap0.8-dev

libmysqlclient15-dev

MySql-client-5.0

Bison

Flex

Apache2

Libapache2-mod-php5

Php5-gd

Php5-mysql

Libphp-adodb

Php-pear

SSH

2. Gain Root Access

From the Desktop go to Applications > Accessories > Terminal and type:

Scroll down the list to the line beginning # output database: log, mysql, user= and remove the # from in front of it. Example: output database: log, mysql, user= password= dbname=snort host=localhost (see above, where the new user was created).

Make note of the username, password, and dbname. You will need this information when we set up the MySQL db.

Save and quit.
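An added check, not part of the tutorial, that parses the output database: line edited in the step above and confirms it is uncommented and carries every key ACIDBASE needs; the snort.conf excerpt and its credentials are constructed placeholders.

```python
# Constructed snort.conf excerpt: the shipped file has the line commented out,
# and the step above uncomments it. Credentials here are placeholders, not real.
SNORT_CONF = """\
# output database: log, mysql, user=snort password=REPLACE_ME dbname=snort host=localhost
output database: log, mysql, user=snort password=REPLACE_ME dbname=snort host=localhost
output alert_fast: alert
"""

REQUIRED_KEYS = ("user", "password", "dbname", "host")

def active_database_outputs(conf_text):
    """Parse every uncommented 'output database:' line into a dict of its fields."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("output database:"):
            continue  # '#'-commented lines and other output plugins are skipped
        parts = [p.strip() for p in line[len("output database:"):].split(",", 2)]
        if len(parts) != 3:
            raise ValueError(f"malformed output database line: {raw!r}")
        entry = {"type": parts[0], "backend": parts[1]}
        for token in parts[2].split():
            key, sep, value = token.partition("=")
            if not sep:
                raise ValueError(f"expected key=value, got {token!r}")
            entry[key] = value
        entries.append(entry)
    return entries

def check_for_acidbase(conf_text):
    """Return (ok, message): ACIDBASE needs exactly one active MySQL log output."""
    entries = [e for e in active_database_outputs(conf_text) if e["backend"] == "mysql"]
    if len(entries) != 1:
        return False, f"expected one active mysql output, found {len(entries)}"
    entry = entries[0]
    if entry["type"] != "log":
        return False, f"output type is {entry['type']!r}, expected 'log'"
    missing = [k for k in REQUIRED_KEYS if not entry.get(k)]
    if missing:
        return False, "missing or empty: " + ", ".join(missing)
    return True, f"logging to {entry['dbname']} on {entry['host']} as {entry['user']}"

if __name__ == "__main__":
    print(check_for_acidbase(SNORT_CONF))
```

Running it against the real file (for example with open("/etc/snort/snort.conf").read()) catches the two usual mistakes: leaving the line commented, or leaving user= and password= blank.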

4. Setup the snort and archive MySQL databases

4.1 MySQL setup

Log into the MySQL server.

# mysql -u root -p

Sometimes there is no password set so just hit enter.
If you get a failed logon, try the above command again and enter YOUR_PASSWORD.
If there is no password you need to create a password for the root account.
Note: Once you are in MySQL the # is now a mysql>

4.5 Confirm creation of databases and existence of newly created tables

Log on to MySQL and check for the databases we just created and the tables inside them. If everything was created successfully you will see four (4) databases (mysql, test, snort and archive) listed and approximately 16 tables in each of the databases.


This guide explains how to set up software RAID1 on an already running CentOS 5.3 system. The GRUB bootloader will be configured in such a way that the system will still be able to boot if one of the hard drives fails (no matter which one).

I do not issue any guarantee that this will work for you!

1 Preliminary Note
In this tutorial I'm using a CentOS 5.3 system with two hard drives, /dev/sda and /dev/sdb, which are identical in size. /dev/sdb is currently unused, and /dev/sda has the following partitions:

3 Preparing /dev/sdb

To create a RAID1 array on our already running system, we must prepare the /dev/sdb hard drive for RAID1, then copy the contents of our /dev/sda hard drive to it, and finally add /dev/sda to the RAID1 array.

First, we copy the partition table from /dev/sda to /dev/sdb so that both disks have exactly the same layout:

4 Creating Our RAID Arrays

Now let's create our RAID arrays /dev/md0, /dev/md1, and /dev/md2. /dev/sdb1 will be added to /dev/md0, /dev/sdb2 to /dev/md1, and /dev/sdb3 to /dev/md2. /dev/sda1, /dev/sda2, and /dev/sda3 can't be added right now (because the system is currently running on them), therefore we use the placeholder word missing in their place in the following three commands:

Now up to the GRUB boot loader. Open /boot/grub/menu.lst and add fallback=1 right after default=0:

vi /boot/grub/menu.lst

[...]
default=0
fallback=1
[...]

This means that if the first kernel (counting starts at 0, so the first kernel is 0) fails to boot, kernel #2 will be booted.
In the same file, go to the bottom where you should find some kernel stanzas. Copy the first of them and paste the copy before the first existing stanza; in the copy, replace root=LABEL=/ with root=/dev/md2 and root (hd0,0) with root (hd1,0):

root (hd1,0) refers to /dev/sdb, which is already part of our RAID arrays. We will reboot the system in a few moments; the system will then try to boot from our (still degraded) RAID arrays; if that fails, it will boot from /dev/sda (-> fallback 1).
Next we adjust our ramdisk to the new situation:

Now we must change the partition types of our three partitions on /dev/sda to Linux raid autodetect as well:

fdisk /dev/sda

[root@server1 ~]# fdisk /dev/sda

The number of cylinders for this disk is set to 1305.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)

WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table.
The new table will be used at the next reboot.
Syncing disks.
[root@server1 ~]#

Now we can add /dev/sda1, /dev/sda2, and /dev/sda3 to the respective RAID arrays:

8 Preparing GRUB (Part 2)

We are almost done now. We must modify /boot/grub/menu.lst again. Right now it is configured to boot from /dev/sdb (hd1,0). Of course, we still want the system to be able to boot in case /dev/sdb fails. Therefore we copy the first kernel stanza (which contains hd1), paste it below and replace hd1 with hd0 in the copy. Furthermore we comment out all other kernel stanzas so that the file looks as follows:
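As an added example (not part of this guide), both menu.lst edits applied programmatically: the section 7 edit (fallback=1 after default=0, plus a leading copy of the first stanza pointing at /dev/md2 and hd1) and this section's edit (an hd0 copy of the first stanza, every other stanza commented out). The sample menu.lst, its kernel version and stanza layout are constructed assumptions, not taken from a real system.

```python
# Constructed sample menu.lst with a single kernel stanza (layout and version assumed).
SAMPLE_MENU_LST = """\
default=0
timeout=5
title CentOS (2.6.18-128.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-128.el5 ro root=LABEL=/
        initrd /initrd-2.6.18-128.el5.img
"""

def split_stanzas(text):
    """Return (header_lines, [stanza_lines, ...]); a stanza starts at a 'title' line."""
    header, stanzas = [], []
    for line in text.splitlines():
        if line.startswith("title"):
            stanzas.append([line])
        elif stanzas:
            stanzas[-1].append(line)
        else:
            header.append(line)
    return header, stanzas

def add_fallback(header):
    """Insert fallback=1 directly after default=0 unless it is already there."""
    out = []
    for line in header:
        out.append(line)
        if line.strip() == "default=0" and "fallback=1" not in header:
            out.append("fallback=1")
    return out

def grub_part1(text):
    """Section 7: fallback entry plus a leading stanza that boots the degraded RAID from hd1."""
    header, stanzas = split_stanzas(text)
    if not stanzas:
        raise ValueError("no kernel stanza found in menu.lst")
    raid_stanza = [line.replace("root=LABEL=/", "root=/dev/md2")
                       .replace("root (hd0,0)", "root (hd1,0)") for line in stanzas[0]]
    rest = [line for stanza in stanzas for line in stanza]
    return "\n".join(add_fallback(header) + raid_stanza + rest) + "\n"

def grub_part2(text):
    """Section 8: keep the hd1 stanza, add an hd0 copy below it, comment out the others."""
    header, stanzas = split_stanzas(text)
    if not stanzas:
        raise ValueError("no kernel stanza found in menu.lst")
    first = stanzas[0]
    hd0_copy = [line.replace("(hd1,0)", "(hd0,0)") for line in first]
    commented = ["#" + line for stanza in stanzas[1:] for line in stanza]
    return "\n".join(header + first + hd0_copy + commented) + "\n"

if __name__ == "__main__":
    after_part1 = grub_part1(SAMPLE_MENU_LST)
    print(after_part1)
    print(grub_part2(after_part1))
```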

It should boot without problems.
That's it - you've successfully set up software RAID1 on your running CentOS 5.3 system!

9 Testing

Now let's simulate a hard drive failure. It doesn't matter if you select /dev/sda or /dev/sdb here. In this example I assume that /dev/sdb has failed.
To simulate the hard drive failure, you can either shut down the system and remove /dev/sdb from the system, or you (soft-)remove it like this:

Then put in a new /dev/sdb drive (if you simulate a failure of /dev/sda, you should now put /dev/sdb in /dev/sda's place and connect the new HDD as /dev/sdb!) and boot the system. It should still start without problems.
Now run